Closed

Opened Sep 18, 2019 by GitLab SecurityBot (@gitlab-securitybot, Reporter)

ESCALATED: 2FA not enforced on /profile/applications

HackerOne report #691477 by brdoors3 on 2019-09-10, assigned to hackerjuan:

Hi team,

I found one access control issue related to your feature 'Enforcing 2FA for all users' on https://gitlab.com/

POC

1. Access one group and enforce 2FA for all users. In this test I used a grace period of 1 hour.

2. After 1 hour, access https://gitlab.com again. The user will be redirected to https://gitlab.com/profile/two_factor_auth

3. Try to access some other areas. All pages redirect to https://gitlab.com/profile/two_factor_auth (expected behavior).

4. Access https://gitlab.com/profile/applications. 2FA is not enforced on this page. I can create and delete applications without any 2FA active.

POC video attached

Impact

In this scenario, after the grace period has elapsed, a user can access and make any change on https://gitlab.com/profile/applications

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • gitlab.PNG
  • gitlab_poc.mp4
Edited Dec 28, 2019 by GitLab SecurityBot
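The gap the report describes is a single route that skips the 2FA check the rest of the application applies once the grace period has run out. The Ruby example below is added here and is not GitLab's code; it models, with constructed users and a few hypothetical route names, the difference between an opt-in check (each route must remember to enforce) and a deny-by-default check that exempts only the pages needed to finish enrolment, plus a small audit helper that lists routes still reachable by a user who is overdue for 2FA. The User fields, route table and exemption list are assumptions made for the illustration.

```ruby
# Illustrative example (not GitLab's code): 2FA enforcement as a deny-by-default
# check over every authenticated route, with an explicit exemption list.
require 'set'

# Constructed user record (assumed fields): the group policy requires 2FA,
# the grace period has expired, and the user has not enrolled yet.
User = Struct.new(:two_factor_enabled, :require_two_factor, :grace_period_expired,
                  keyword_init: true)

TWO_FACTOR_SETUP_PATH = '/profile/two_factor_auth'

# Routes that must stay reachable without 2FA, otherwise the user can never enrol
# or sign out. Hypothetical list; keep it as short as possible.
TWO_FACTOR_EXEMPT_PATHS = Set['/profile/two_factor_auth', '/users/sign_out'].freeze

def two_factor_required?(user)
  user.require_two_factor && user.grace_period_expired && !user.two_factor_enabled
end

# Vulnerable pattern: each route opts in to the check, so a route whose flag is
# missing or false (here the applications page) silently bypasses enforcement.
OPT_IN_ROUTES = {
  '/dashboard'            => { enforce_2fa: true },
  '/profile'              => { enforce_2fa: true },
  '/profile/applications' => { enforce_2fa: false } # the forgotten route
}.freeze

def dispatch_opt_in(user, path)
  route = OPT_IN_ROUTES.fetch(path)
  if route[:enforce_2fa] && two_factor_required?(user)
    { status: 302, location: TWO_FACTOR_SETUP_PATH }
  else
    { status: 200, body: "rendered #{path}" }
  end
end

# Hardened pattern: the check runs before every route and only the explicit
# exemption list is skipped, so a newly added route is covered by default.
def dispatch_deny_by_default(user, path)
  if two_factor_required?(user) && !TWO_FACTOR_EXEMPT_PATHS.include?(path)
    { status: 302, location: TWO_FACTOR_SETUP_PATH }
  else
    { status: 200, body: "rendered #{path}" }
  end
end

# Audit helper: walk the route table and return every non-exempt path that still
# renders for a user who is overdue for 2FA. This is the property a regression
# test should assert over the real route set.
def unprotected_routes(dispatcher, user, paths)
  paths.reject { |p| TWO_FACTOR_EXEMPT_PATHS.include?(p) }
       .select { |p| send(dispatcher, user, p)[:status] == 200 }
end

if __FILE__ == $PROGRAM_NAME
  overdue = User.new(two_factor_enabled: false, require_two_factor: true,
                     grace_period_expired: true)
  paths = OPT_IN_ROUTES.keys
  puts "opt-in gaps:          #{unprotected_routes(:dispatch_opt_in, overdue, paths).inspect}"
  puts "deny-by-default gaps: #{unprotected_routes(:dispatch_deny_by_default, overdue, paths).inspect}"
end
```

Run stand-alone, the opt-in dispatcher reports /profile/applications as unprotected while the deny-by-default dispatcher reports nothing; the same audit over an application's full route table is the kind of test that would have caught the report's finding before release.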
Milestone: Next 3-4 releases

Due date: Nov 23, 2019
Reference: gitlab-org/gitlab#32291